Ansible for Post-Quantum Cryptography: Migrate TLS, SSH & PKI (2026 Guide)
By Luca Berton · Published 2024-01-01 · Category: troubleshooting
Complete guide to automating post-quantum cryptography migration with Ansible. Update SSH algorithms, configure PQC-ready TLS, migrate PKI certificates, audit.
NIST finalized three post-quantum cryptography (PQC) standards in 2024: ML-KEM (key encapsulation), ML-DSA (digital signatures), and SLH-DSA (stateless hash-based signatures). Migration pressure is increasing as organizations must transition before quantum computers break current RSA and ECC cryptography. Ansible automates the cryptographic inventory, configuration updates, and certificate migration across thousands of servers.
Why Automate PQC Migration?
| Challenge | Scale | Ansible Solution |
|-----------|-------|------------------|
| Audit SSH key algorithms | Every server | Playbook scans all hosts |
| Update TLS cipher suites | Every web server, load balancer | Template-driven config updates |
| Rotate certificates | Thousands of certs | Automated cert generation + deployment |
| Verify compliance | Continuous | Scheduled audit playbooks |
| Rollback if issues | Instant | Check mode + staged rollout |
Cryptographic Inventory Audit
Scan SSH Algorithms
```yaml
- name: Audit SSH cryptographic algorithms
  hosts: all
  become: true
  tasks:
    - name: List key types the installed OpenSSH build supports (ssh -Q shows capability, not configuration)
      ansible.builtin.command: ssh -Q key
      register: ssh_key_algos
      changed_when: false

    - name: List ciphers the installed OpenSSH build supports
      ansible.builtin.command: ssh -Q cipher
      register: ssh_ciphers
      changed_when: false

    - name: Find DSA and RSA host keys for review
      ansible.builtin.find:
        paths: /etc/ssh
        patterns:
          - "ssh_host_dsa_key*"   # DSA is always weak
          - "ssh_host_rsa_key*"   # RSA is weak only below 3072 bits; check the size before replacing
      register: weak_keys

    - name: Collect algorithm directives set explicitly in sshd_config
      # Reads only the main file: defaults and sshd_config.d drop-ins are not resolved here,
      # so "DEFAULTS" means "nothing overridden in this file", not "nothing configured"
      ansible.builtin.shell: |
        grep -E "^(KexAlgorithms|Ciphers|MACs|HostKeyAlgorithms|PubkeyAcceptedKeyTypes)" /etc/ssh/sshd_config || echo "DEFAULTS"
      register: sshd_crypto
      changed_when: false

    - name: Generate crypto audit report on the controller
      ansible.builtin.copy:
        content: |
          Host: {{ inventory_hostname }}
          Date: {{ ansible_date_time.iso8601 }}
          SSH Key Algorithms: {{ ssh_key_algos.stdout_lines | join(', ') }}
          SSH Ciphers: {{ ssh_ciphers.stdout_lines | join(', ') }}
          Keys Flagged For Review: {{ weak_keys.files | map(attribute='path') | list }}
          Current Config: {{ sshd_crypto.stdout }}
        dest: "/tmp/crypto-audit-{{ inventory_hostname }}.txt"
      delegate_to: localhost
```
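The grep above only sees what is written in the main sshd_config; `sshd -T` prints the effective configuration with defaults and drop-ins resolved. This added filter plugin (example code, not from the original post) turns `sshd -T` and `ssh-keygen -l` output into readiness facts; the sample outputs and the plugin file name are constructed for the example.

```python
# Added example, not from the original post: an Ansible filter plugin that turns raw audit
# output into facts. Save it as filter_plugins/pqc_audit.py beside the playbook. Inputs: stdout
# of `sshd -T` (effective config, drop-ins and defaults resolved) and of `ssh-keygen -l -f <key>.pub`.
import re

# Hybrid PQC KEX names as OpenSSH spells them: sntrup761x25519 since 9.0, mlkem768x25519 since 9.9.
PQC_KEX = {"sntrup761x25519-sha512@openssh.com", "mlkem768x25519-sha256"}
WEAK_KEX = re.compile(r"^diffie-hellman-(group1|group14|group-exchange)-sha1$")
WEAK_HOSTKEY = re.compile(r"^ssh-dss|^ssh-rsa(-cert-v01@openssh.com)?$")  # SHA-1 signature schemes
FINGERPRINT = re.compile(r"^(\d+) SHA256:\S+ .*\((RSA|DSA|ECDSA|ED25519)\)$", re.M)

# Constructed sample output from a host that still needs work.
SAMPLE_SSHD_T = """\
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
"""
SAMPLE_KEYGEN_L = """\
2048 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@web1 (RSA)
256 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB root@web1 (ED25519)
"""

def parse_sshd_t(text):
    """Turn `sshd -T` output into {keyword: [values]}; keywords are lower-case, values comma-separated."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), []).extend(parts[1].split(","))
    return cfg

def ssh_pqc_status(sshd_t_output, keygen_l_output=""):
    """Return a fact dict: hybrid KEX offered, findings that block readiness, and an overall verdict."""
    cfg = parse_sshd_t(sshd_t_output)
    kex, hostkeys = cfg.get("kexalgorithms", []), cfg.get("hostkeyalgorithms", [])
    pqc = [k for k in kex if k in PQC_KEX]
    findings = [] if pqc else ["no hybrid PQC key exchange offered"]
    findings += [f"weak KEX {k}" for k in kex if WEAK_KEX.match(k)]
    findings += [f"weak host key algorithm {h}" for h in hostkeys if WEAK_HOSTKEY.match(h)]
    for bits, ktype in FINGERPRINT.findall(keygen_l_output):
        if ktype == "DSA":
            findings.append("DSA host key present")
        elif ktype == "RSA" and int(bits) < 3072:
            findings.append(f"RSA host key only {bits} bits")
    return {"pqc_kex": pqc, "findings": findings, "ready": not findings}

class FilterModule:
    def filters(self):
        return {"ssh_pqc_status": ssh_pqc_status}
```

In a playbook the filter is used as `{{ sshd_t.stdout | ssh_pqc_status(keygen.stdout) }}` after registering both commands.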
Scan TLS Certificates
```yaml
- name: Audit TLS certificates for PQC readiness
  hosts: web_servers
  tasks:
    - name: Check certificate algorithm
      # -certopt suppresses everything except the key and signature fields we care about
      ansible.builtin.command: >
        openssl x509 -in {{ item }} -noout -text
        -certopt no_subject,no_issuer,no_version,no_serial,no_validity,no_extensions
      loop:
        - /etc/ssl/certs/server.crt
        - /etc/nginx/ssl/cert.pem
      register: cert_info
      changed_when: false
      failed_when: false   # a missing file shows up as rc != 0 below instead of failing the play

    - name: Flag RSA and ECDSA certificates needing migration
      ansible.builtin.debug:
        msg: "⚠️ {{ item.item }} uses {{ 'RSA' if 'rsaEncryption' in item.stdout else 'ECDSA' }} — needs PQC migration plan"
      loop: "{{ cert_info.results }}"
      when: item.rc == 0 and ('rsaEncryption' in item.stdout or 'ecdsa' in item.stdout)
```
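The debug task only tells RSA from ECDSA. This added filter plugin (example code, not from the original post) reads the same registered `openssl x509 -noout -text` output and also extracts key size and signature algorithm, so an RSA 2048 certificate is flagged for immediate replacement rather than just "needs a plan". The sample certificate text is constructed, and the ML-DSA/SLH-DSA name check assumes the spelling OpenSSL 3.5 uses.

```python
# Added example, not from the original post: a filter that reads the registered
# `openssl x509 -noout -text` output from the loop above and decides what each
# certificate needs, instead of only telling RSA and ECDSA apart.
import re

KEY_ALG = re.compile(r"Public Key Algorithm: (\S+)")
KEY_BITS = re.compile(r"Public-Key: \((\d+) bit\)")
SIG_ALG = re.compile(r"Signature Algorithm: (\S+)")

# Constructed samples of the relevant lines openssl prints for RSA and EC certificates.
SAMPLE_RSA = """\
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
SAMPLE_EC = """\
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                NIST CURVE: P-256
"""

def classify_cert(x509_text):
    """Return key algorithm, size, signature algorithm and the migration action for one certificate."""
    alg, bits, sig = KEY_ALG.search(x509_text), KEY_BITS.search(x509_text), SIG_ALG.search(x509_text)
    if not alg:
        return {"key": None, "bits": None, "signature": None, "action": "unparsed; inspect manually"}
    key, nbits = alg.group(1), (int(bits.group(1)) if bits else None)
    if key.startswith(("ML-DSA", "SLH-DSA")):   # assumption: names as OpenSSL 3.5 prints them
        action = "post-quantum signature; no migration needed"
    elif key == "rsaEncryption" and nbits is not None and nbits < 3072:
        action = "replace now: RSA below 3072 bits is weak even against classical attackers"
    elif key in ("rsaEncryption", "id-ecPublicKey"):
        action = "quantum-vulnerable: rotate to a PQC-ready CA in the certificate phase"
    else:
        action = "unknown key algorithm; inspect manually"
    return {"key": key, "bits": nbits, "signature": sig.group(1) if sig else None, "action": action}

def flag_certs(cert_results):
    """Map cert_info.results to {path: classification}; files openssl could not read (rc != 0) are skipped."""
    return {r["item"]: classify_cert(r["stdout"]) for r in cert_results if r.get("rc") == 0}

class FilterModule:
    def filters(self):
        return {"classify_cert": classify_cert, "flag_certs": flag_certs}
```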
Harden SSH for Post-Quantum Era
Configure SSH with Strong Algorithms
```yaml
- name: Harden SSH configuration for PQC transition
  hosts: all
  become: true
  vars:
    ssh_kex_algorithms:
      - sntrup761x25519-sha512@openssh.com   # Hybrid PQC KEX (available in OpenSSH 9.0+)
      - curve25519-sha256
      - curve25519-sha256@libssh.org
      - diffie-hellman-group18-sha512
      - diffie-hellman-group16-sha512
    ssh_host_key_algorithms:
      - ssh-ed25519
      - ssh-ed25519-cert-v01@openssh.com
      - rsa-sha2-512
      - rsa-sha2-256
    ssh_ciphers:
      - chacha20-poly1305@openssh.com
      - aes256-gcm@openssh.com
      - aes128-gcm@openssh.com
    ssh_macs:
      - hmac-sha2-512-etm@openssh.com
      - hmac-sha2-256-etm@openssh.com
  tasks:
    - name: Check OpenSSH version for PQC support
      ansible.builtin.command: ssh -V
      register: ssh_version
      changed_when: false

    - name: Stop on builds older than OpenSSH 9.0 (no sntrup761; sshd -t would reject the template)
      # ssh -V prints its banner on stderr, e.g. "OpenSSH_9.6p1 ...", so stdout is empty
      ansible.builtin.assert:
        that: >-
          ssh_version.stderr | regex_search('OpenSSH_[0-9]+\.[0-9]+')
          | regex_replace('OpenSSH_', '') is version('9.0', '>=')
        fail_msg: "{{ ssh_version.stderr }}: drop sntrup761x25519 from ssh_kex_algorithms for this host"

    - name: Configure sshd for PQC-ready algorithms
      ansible.builtin.template:
        src: sshd_config_pqc.j2
        dest: /etc/ssh/sshd_config.d/99-pqc-hardening.conf
        owner: root
        group: root
        mode: '0600'
        validate: "sshd -t -f %s"   # rejects unknown algorithm names before the file is installed
      notify: restart sshd

    - name: Remove weak SSH host keys
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/ssh/ssh_host_dsa_key
        - /etc/ssh/ssh_host_dsa_key.pub
      notify: restart sshd

    - name: Generate Ed25519 host key if missing
      ansible.builtin.command: ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
      args:
        creates: /etc/ssh/ssh_host_ed25519_key
      notify: restart sshd

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"   # unit name differs by distro
        state: restarted
```
sshd_config Template
```jinja
# PQC-Hardened SSH Configuration
# Managed by Ansible — do not edit manually
# Key exchange: sntrup761x25519 is a hybrid of the NTRU Prime lattice KEM and X25519
KexAlgorithms {{ ssh_kex_algorithms | join(',') }}
# Host key signature algorithms the server offers (no ssh-dss, no SHA-1 ssh-rsa)
HostKeyAlgorithms {{ ssh_host_key_algorithms | join(',') }}
# Ciphers: AEAD only
Ciphers {{ ssh_ciphers | join(',') }}
# MACs: encrypt-then-MAC only (not used when an AEAD cipher is negotiated, kept for completeness)
MACs {{ ssh_macs | join(',') }}
# Host keys to load: Ed25519 preferred, RSA (3072 bits or more) kept for older clients.
# HostKey lines add to any in the main sshd_config, so remove ECDSA/DSA entries there as well.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Renegotiate session keys after 1 GB or 1 hour to limit the data protected by one key
RekeyLimit 1G 1h
```
Configure PQC-Ready TLS
Nginx with Hybrid PQC Cipher Suites
```yaml
- name: Configure Nginx for PQC-ready TLS
  hosts: web_servers
  become: true
  vars:
    tls_protocols: "TLSv1.3"
    # X25519Kyber768Draft00 is the draft hybrid group name used by Chrome/Firefox/BoringSSL.
    # Use the spelling the server's TLS library accepts (OpenSSL builds may name it differently,
    # and OpenSSL 3.5 ships the final X25519MLKEM768); nginx refuses to start if ssl_ecdh_curve
    # lists a group the library does not know, which nginx -t below will catch.
    tls_curves: "X25519Kyber768Draft00:X25519:P-256:P-384"
  tasks:
    - name: Check OpenSSL version for PQC support
      ansible.builtin.command: openssl version
      register: openssl_version   # recorded for the compliance report
      changed_when: false

    - name: Deploy PQC-ready Nginx TLS config
      ansible.builtin.template:
        src: nginx-tls-pqc.conf.j2
        dest: /etc/nginx/conf.d/tls-pqc.conf
        mode: '0644'
      notify: reload nginx

    - name: Test Nginx configuration (a failure stops the play before the reload handler runs)
      ansible.builtin.command: nginx -t
      changed_when: false

  handlers:
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```
Nginx TLS Template
```jinja
# PQC-Ready TLS Configuration
# Managed by Ansible
ssl_protocols {{ tls_protocols }};
ssl_prefer_server_ciphers off;
# Enable hybrid PQC key exchange (client and server negotiate the first group both support)
ssl_ecdh_curve {{ tls_curves }};
# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
# Session resumption via the server-side cache only; tickets are off so no long-lived ticket key is in play
ssl_session_timeout 1d;
ssl_session_cache shared:PQC_SSL:50m;
ssl_session_tickets off;
```
Compliance Reporting
```yaml
- name: Generate PQC readiness compliance report
  hosts: all
  tasks:
    - name: Record which key exchanges this OpenSSH build offers
      ansible.builtin.command: ssh -Q kex
      register: ssh_kex_q
      changed_when: false

    - name: Record the OpenSSL version
      ansible.builtin.command: openssl version
      register: openssl_v
      changed_when: false

    - name: Gather cryptographic facts
      ansible.builtin.set_fact:
        crypto_report:
          hostname: "{{ inventory_hostname }}"
          ssh_pqc_kex: "{{ 'sntrup761' in ssh_kex_q.stdout }}"
          openssl_version: "{{ openssl_v.stdout }}"
          tls_1_3_enabled: "{{ tls13_status | default(false) }}"   # set by an earlier TLS audit play, if any
          weak_rsa_keys: "{{ weak_key_count | default(0) }}"       # set by an earlier SSH audit play, if any

    - name: Write fleet-wide compliance report on the controller
      # run_once renders the template on a single host, so the template must read every host's
      # facts via hostvars (hostvars[h].crypto_report for h in ansible_play_hosts), not just its own
      ansible.builtin.template:
        src: pqc-compliance-report.html.j2
        dest: "/var/reports/pqc-readiness-{{ ansible_date_time.date }}.html"
      delegate_to: localhost
      run_once: true
```
Migration Roadmap
| Phase | Timeline | Ansible Actions |
|-------|----------|-----------------|
| Audit | Month 1 | Inventory all SSH keys, TLS certs, crypto algorithms |
| Harden | Month 2-3 | Remove DSA, enforce Ed25519, enable sntrup761 KEX |
| Hybrid TLS | Month 3-6 | Deploy X25519Kyber768 hybrid cipher suites |
| Certificate Rotation | Month 6-12 | Migrate to PQC-ready CA, issue hybrid certificates |
| Full PQC | 2027+ | Pure PQC algorithms once widely supported |
FAQ
What is post-quantum cryptography and why should I prepare now?
Post-quantum cryptography uses algorithms resistant to quantum computer attacks. NIST finalized standards (ML-KEM, ML-DSA, SLH-DSA) in 2024. "Harvest now, decrypt later" attacks mean encrypted data captured today could be decrypted by future quantum computers, making migration urgent.
Can Ansible automate PQC migration?
Yes. Ansible audits cryptographic configurations across your infrastructure, updates SSH algorithms, configures TLS cipher suites, rotates certificates, and generates compliance reports — all at scale across thousands of servers.
What is sntrup761x25519 in SSH?
It's a hybrid key exchange combining a post-quantum algorithm (NTRU Prime/sntrup761) with classical X25519. Available in OpenSSH 9.0+, it provides quantum resistance while maintaining classical security as a fallback.
How do I enable PQC in TLS?
Modern browsers support hybrid PQC via X25519Kyber768. Configure your web server (Nginx, Apache) to include this in ssl_ecdh_curve with TLS 1.3. Requires OpenSSL 3.2+ or BoringSSL.
Conclusion
Post-quantum cryptography migration is not optional — it's a matter of when, not if. Ansible provides the automation framework to audit, harden, and migrate cryptographic configurations at scale, turning a multi-year manual effort into repeatable, version-controlled playbooks.